‘Microsoft gives zero-day exploits to US government’

From Bloomberg: “Microsoft, the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.” The lid has officially been blown off.

67 Comments

So Windows is more “secure” only if you’re government. Any new government backdoors you’d like to tell us about, Microsoft?

I don’t normally care a whole lot about the pros and cons of proprietary vs. open source… but Microsoft just gave free and open source software one hell of a boost. Once again, I am amazed. Government (and paying corporations/partners) above literally everyone else.

I don’t normally care a whole lot about the pros and cons of proprietary vs. open source… but Microsoft just gave free and open source software one hell of a boost.

Not at all. Unless you are going to examine every bit of code that goes on your machine, it’s entirely possible for open source software to have these backdoors just as much as, if not more than, proprietary software. Peer code review is easy enough to slip something by, especially if it manifests no obvious symptoms and considering how many various distributions patch their software in custom ways. Are you going to examine every patch? Every update? No? Then you could be just as vulnerable as anyone running Windows.

There are more people from different parts of the world looking at the code and commits. Sure, something could slip by, but the chances are pretty slim. The chances that the project will keep important security issues from you in order to appease the U.S. government are also much smaller.

That is exactly what happens. Code like that of the Linux kernel is permanently reviewed. No single patch goes in without multiple reviews from different people, without the patch being publicly available.

The nature, read: license, also makes sure all distributors publish their patches, and even try to get them upstream proactively.

Are you going to examine every patch? Every update?

That is what's happening, yes. There are 1000 times as many reviewers as coders, and not everybody needs to cross-check everything again. A chain of trust and shared work. Get used to it, it's the present and future, because these days software like a kernel is too complex for individuals.

So Windows is more “secure” only if you’re government. Any new government backdoors you’d like to tell us about, Microsoft?

This may come as a shock to you, but the term “backdoor” doesn’t actually refer to selective disclosure of security vulnerabilities. But hey, don’t let reality get in the way of your self-righteous posturing.

I don’t normally care a whole lot about the pros and cons of proprietary vs. open source… but Microsoft just gave free and open source software one hell of a boost.

Sure, if you prefer to have your systems compromised by Russian/Chinese/Eastern European criminals:

Uhhh…if you trust ANY OS then you honestly deserve what you get, or did you forget the stink a few years back about some NSA guys working on critical parts of BSD?

The moral of this story is don’t use IE, have a decent firewall, and pay attention to what is going on with your PC and network. MSFT can give first dibs to the king of the moon for all I care, they can slam into my firewall and join all the Chinese and Eastern EU hackers that slam against it every day, good luck.

And even ignoring that little security fact, it also raises the question: “If the company is willing to go that far to appease the government, then what else might they be doing for them?”

The security fact is that government has a lot more to lose than you do if they are caught with an unpatched but exploited vulnerability. I don’t see this as “appeas[ing] the government” but common sense.

The security fact is that government has a lot more to lose than you do if they are caught with an unpatched but exploited vulnerability. I don’t see this as “appeas[ing] the government” but common sense.

They also have a lot more to gain than I do when attempting to breach security and infiltrate the computers of other worldwide governments, thanks to being the only people (besides Microsoft itself and likely a few other U.S. government organizations) to know about these zero-day exploits. Shit, all I would gain is “FELONY” on my record and a prison sentence.

I truly don’t know why the f*** non-U.S. governments continue to use Microsoft software at this point. I wonder if all this news since the data collection broke will eventually cause governments around the world to begin seriously considering non-U.S. alternatives. If so, well done again U.S. Government–you’re continuing to run your economy into the ground.

They also have a lot more to gain than I do when attempting to breach security and infiltrate the computers of other worldwide governments, thanks to being the only people (besides Microsoft itself and likely a few other U.S. government organizations) to know about these zero-day exploits. Shit, all I would gain is “FELONY” on my record and a prison sentence.

Other governments and even large corporations are within their rights to demand the same from Microsoft as a condition of licensing their software. As individuals, it might not be easy or possible to demand the same, but there is nothing stopping you from trying.

If I were a foreign government, I would not trust for a second Microsoft to not have the deal in such a way that their own government–the U.S.–gets special privileges above all others. And what’s stopping the U.S. from demanding that? I wouldn’t trust them to give all governments a level playing field–clearly a large part of the reason for doing this (aside from security of their own systems) is to exploit other government systems. When that’s the case, do you really expect them to play fair?

Instead of focusing only on Microsoft I would like to know what the other commercial OS vendors do.

Agree! And I’d also like to know what major open source vendors do. In a situation like this, one is no less vulnerable than the other and, as no one reviews the code of a full distribution in its entirety (that’s far too much code for one person), slipping a back door in would be child’s play for agents especially if said distribution (as most do) uses many custom patches.

The information is only worth something if it can be used. Flame and Stuxnet, both NSA products, though surely there are many more, were using plenty of Windows zero-day exploits for years. Now we know the story behind it.

You don’t see the problem with deliberately delaying fixing security issues with a very widely-used OS?

How does advanced notification equate to delaying fixing?

In the same way that “trolling” equates to expressing any strong opinion, or in the same way that “patent trolling” equates to any litigation related to patents, or in the same way that “shill” equates to making any statement in defense of an unpopular company, etc etc etc….

This is what online debate has become: the dilution of the meaning of well-defined terms, due to deliberate “linguistic escalation.” Someone calls you a fanboy? Then you call them a troll… then they retaliate by calling you a shill, so you call them an astroturfer, ad infinitum.

The object is to find the most damning label you can think of, and to hell with accuracy!

You don’t see the problem with deliberately delaying fixing security issues with a very widely-used OS?

And where does the article say anything about Microsoft delaying the public release of security fixes? Hint: it doesn’t, you’re just conflating “early alert” with deliberate delays in providing security fixes.

NSA to Public: If you’re doing nothing wrong there is nothing to worry about us looking at your communications.

ANSWER (Public back to NSA): Tough! You have NO right to eavesdrop on our communications. None!

(And I hope eventually one day the tools will exist and be made ‘simple’, and that then the public at large will start using onion routers, hidden services, distributed DNS alternatives, encryption, perhaps even some ‘alternative routing’ of some traffic ‘off the mainline internet’, e.g. over city-wide wifi networks or similar.)

Before then, I hope some smart-asses start a viral phenomenon of using SEO-inspired tools/‘apps’ to INSERT AI-driven and grammatically correct/functional ‘naughty keywords’ – all the kinds of obvious things I’m not going to mention here that might be likely to be spied upon – INTO EVERY TRIVIAL, nonsensical, and unimportant email, social network, blog post, message board etc. as they can stomach… i.e. make an awful lot of the little bits of hay in the stack look like needles… it’s what they deserve!

Public to NSA: We want more transparency, if *you’re* doing nothing wrong you won’t mind.

ANSWER (NSA back to Public): stony, echoey silence. (Not a hint of regret, remorse or mutual open discussion.)

you’re just Apes like the rest of us Mr Government and Mr NSA – you’re not special. You have NO more rights. Even if you ‘granted them to yourselves’ !

Huawei is a threat to US national security and the power of US foreign intelligence agencies outside of the US. (I’m so sorry, Aussies, but it seems that your government is deep in the US’s foreign intelligence pocket.)

But where did that zero day exploit come from? Some of them come from code inspection, fuzzing and white-hat hackers. But most of them come from inspection of hacked machines which means that zero-day exploit is already out there being used by the bad guys.

The notification delay is so that the exploit is only used by a few bad guys instead of the entire Internet.

The US government considers big corporations to be undercover cops – they can blatantly break most laws (tax evasion, IP theft, anti-competitive behavior) as long as they provide a steady stream of “essential” information.

Now we know one of the reasons they created it, and why many on USA were so pissed-off about that.

Buwahahahaha! Riiiiiiiiiiiight, the GFW is purely a defensive measure… I’m sure it has nothing to do with China being one of the most censorship-happy regimes in the industrialized world, not to mention their history of draconian control over what information their citizens can access. After all, we know that people in China can easily access sites with information about Tiananmen Square, or Tibetan/Taiwanese independence… oh, wait.

Congrats, you’ve posted what has to be the dumbest, most absurd claim I’ve seen in this entire thread. And that’s saying something, given the stiff competition.

Buwahahahaha! Riiiiiiiiiiiight, the GFW is purely a defensive measure… I’m sure it has nothing to do with China being one of the most censorship-happy regimes in the industrialized world, not to mention their history of draconian control over what information their citizens can access. After all, we know that people in China can easily access sites with information about Tiananmen Square, or Tibetan/Taiwanese independence… oh, wait.

The inconvenient facts:

Tibet has been considered a part of China for over 2500 years. The Tibetan lamas ran a brutally repressive feudal system. Western supporters of Tibetan independence are essentially useful idiots. [In public the Dalai Lama hides his true opinions, such as his absolute hatred of homosexuality.]

Chinese citizens can travel freely to many Western countries.

There are daily flights between Taiwan and mainland China.

Hundreds of thousands of Chinese students study at western universities.

Six million Chinese citizens in Hong Kong have uncensored internet access.

There is a great deal of robust online discussion and social networking in China.

Buwahahahaha! Riiiiiiiiiiiight, the GFW is purely a defensive measure… I’m sure it has nothing to do with China being one of the most censorship-happy regimes in the industrialized world, not to mention their history of draconian control over what information their citizens can access. After all, we know that people in China can easily access sites with information about Tiananmen Square, or Tibetan/Taiwanese independence… oh, wait.

The inconvenient facts:

Tibet has been considered a part of China for over 2500 years. The Tibetan lamas ran a brutally repressive feudal system. Western supporters of Tibetan independence are essentially useful idiots. [In public the Dalai Lama hides his true opinions, such as his absolute hatred of homosexuality.]

Red herring, that doesn’t actually address any of the points I made or the ridiculous claim that I was responding to.

Many of the original inhabitants of North & South America were just as brutal (if not more so, ritual human sacrifice and all that)… and because of that, you would be OK if the US government blocked their citizens from accessing information about, say, the Trail of Tears?

Chinese citizens can travel freely to many Western countries.

There are daily flights between Taiwan and mainland China.

Hundreds of thousands of Chinese students study at western universities.

There is a great deal of robust online discussion and social networking in China.

Relevance?

Oh, and you left out another interesting fact: China is also second only to Russia when it comes to turning a blind eye to actual cybercrime (just as long as the crimes are only committed against westerners).

Six million Chinese citizens in Hong Kong have uncensored internet access.

In other words: the only way for Chinese citizens to avoid internet censorship is to live somewhere other than China. Noted.

What part of “ONE of the reasons” did you miss? What I left subtle in my comment and, unluckily, one thing that strongly ties the USA and China governments, is that they both are paranoid states where the powerful elite are more than willing to sacrifice the liberty and privacy of their citizens to justify maintaining the status quo.

They label and treat their own people and other countries as under suspicion, and so they prepare the communication infrastructure with barriers and traps, frequently overstepping their own legal systems. This is what the USA did, as did China. They both went to extreme extents on that. The USA, China, Russia and some other countries have power circles that are way too poisonous.

What I left tacit is not that China already knew about PRISM, but that paranoid countries act on presumption and that they use all available disinformation techniques to gain some advantage. Specifically, in the USA’s case, many politicians and members of the government went public to criticize the GFC when they probably already knew about the USA spy efforts. I guess it is too much to assume that all readers will infer that. Well, I hope your self-confidence in your cognitive abilities does not get affected.

Please. It really doesn’t matter whether you claim it as one reason, or the sole reason – it’s still an absurd, completely unsubstantiated claim. Bullshit is still bullshit, the quantity doesn’t change that.

What I left subtle in my comment and, unluckily, one thing that strongly ties the USA and China governments, is that they both are paranoid states where the powerful elite are more than willing to sacrifice the liberty and privacy of their citizens to justify maintaining the status quo.

They label and treat their own people and other countries as under suspicion, and so they prepare the communication infrastructure with barriers and traps, frequently overstepping their own legal systems. This is what the USA did, as did China. They both went to extreme extents on that. The USA, China, Russia and some other countries have power circles that are way too poisonous.

I hate to use this twice in one month, but…

False equivalence is a logical fallacy which describes a situation where there is a logical and apparent equivalence, but when in fact there is none.

[…]

A common way for this fallacy to be perpetuated is one shared trait between two subjects is assumed to show equivalence, especially in order of magnitude, when equivalence is not necessarily the logical result.

What I left tacit is not that China already knew about PRISM, but that paranoid countries act on presumption and that they use all available disinformation techniques to gain some advantage. Specifically, in the USA’s case, many politicians and members of the government went public to criticize the GFC when they probably already knew about the USA spy efforts.

False equivalence, once again – you do realize that spying is not the same thing as censorship, right?

I guess it is too much to assume that all readers will infer that. Well, I hope your self-confidence in your cognitive abilities does not get affected.

Wow. I hope you used plenty of lubricant, wouldn’t want you to get chafed from stroking your own ego so enthusiastically.

Please. It really doesn’t matter whether you claim it as one reason, or the sole reason – it’s still an absurd, completely unsubstantiated claim. Bullshit is still bullshit, the quantity doesn’t change that.

Let me see, it is bullshit because you said so?

False equivalence, once again – you do realize that spying is not the same thing as censorship, right?

And you do realize that they are not mutually exclusive, don’t you? The USA has been doing censorship and spying since forever. You do not believe me, right? So, what do you think the so-called “classified information” that is all over the place is? Also, go and read the history of human tragedies triggered by USA actions all around the globe. Not that big a difference to me between the USA government elite and their bad pals around the globe.

And please, stop projecting your own sexual fantasies on others, keep them to yourself, there are some things that are better to maintain private. 😉

Please. It really doesn’t matter whether you claim it as one reason, or the sole reason – it’s still an absurd, completely unsubstantiated claim. Bullshit is still bullshit, the quantity doesn’t change that.

Let me see, it is bullshit because you said so?

Now you’re just being deliberately obtuse. It’s bullshit because it’s directly contradicted by numerous, widely known facts about the GFC. And it’s bullshit because you haven’t provided a single source or shred of evidence to substantiate your claim. Hell, you haven’t even provided any reason to believe that the GFC would actually be EFFECTIVE in preventing spying.

So I guess we can also add “burden of proof” to the list of intellectual concepts that you fail to grasp.

False equivalence, once again – you do realize that spying is not the same thing as censorship, right?

And you do realize that they are not mutually exclusive, don’t you?

Stop riding my coattails, kid – get your own material.

The USA has been doing censorship and spying since forever. You do not believe me, right? So, what do you think the so-called “classified information” that is all over the place is?

False equivalence combined with confirmation bias – find me a single country in the world that DOESN’T classify information.

And you’re seriously trying to pretend that classifying sensitive information (for security purposes) is the same thing as GFC-style censorship of politically inconvenient information? People don’t resort to such blatant intellectual dishonesty if they have any valid argument left – your de facto admission of defeat is noted.

Also, go and read the history of human tragedies triggered by USA actions all around the globe. Not that big a difference to me between the USA government elite and their bad pals around the globe.

More unsubstantiated claims. I’d challenge you to provide examples, but we both know that you either don’t have any – or you would just toss out some more red herrings that didn’t actually have anything to do with your claims. But hey, anything to justify your irrational, knee-jerk hatred of the US, right?

And please, stop projecting your own sexual fantasies on others, keep them to yourself, there are some things that are better to maintain private. 😉

An “I know you are, but what am I” flame, really? Tell you what, because I’m such a nice guy, I’ll give you a do-over. Maybe you’ll be able to come up with something a little less pathetic this time.

Now you’re just being deliberately obtuse. It’s bullshit because it’s directly contradicted by numerous, widely known facts about the GFC. And it’s bullshit because you haven’t provided a single source or shred of evidence to substantiate your claim. Hell, you haven’t even provided any reason to believe that the GFC would actually be EFFECTIVE in preventing spying.

This is really getting ridiculous. I did not say that China did it because they already knew about PRISM; you created this in your own obtuse mind. I said that one of the reasons they probably did it was because paranoid states try to act preventively and, as you probably know, one of the nice functionalities of firewalls is to protect against external threats, and PRISM is clearly one. I said also that many public figures of USA power complained about the GFC and that they probably already knew about PRISM; this is well documented, just google for it, and this is the same as a neighbor who likes to walk on others’ flowers complaining that putting up a fence makes the neighborhood ugly. You are the one arguing that China did it ONLY to prevent their citizens from getting information from abroad. A big and narrow-minded assumption if you ask me. So burden of proof applies very well to your case.

False equivalence combined with confirmation bias – find me a single country in the world that DOESN’T classify information.

Please! I never said that other countries do not do that. What I said, again, is that paranoid governments are more inclined to do so and that they can even do it in ways that do not follow their own legal systems.

More unsubstantiated claims. I’d challenge you to provide examples, but we both know that you either don’t have any – or you would just toss out some more red herrings that didn’t actually have anything to do with your claims. But hey, anything to justify your irrational, knee-jerk hatred of the US, right?

I guess you only studied history from USA books. The USA invaded Iraq on false premises or, even worse, already knowing that the claims were false. Where are the weapons of mass destruction? All that after, some years before, they tried to undermine Iran by giving weapons to Saddam Hussein to act as a proxy. What about the innocent people killed in Afghanistan by the many and documented irresponsible actions? The military of many South American nations actively overthrew legitimately and democratically chosen leaders with USA help. Killings, torture and other forms of human rights violations abounded in all those cases, and the USA elite power has their fingers dirty with blood because of these. Ignoring history is really one option.

Note also that I never said the American people should be accountable for the bad things. I visited many times the country and I really like the place and the many friends I have there, but sure enough many from the elite should be lawfully punished.

The rest of your arguments are all alike, just nonsense ramblings or full of assumptions about things not said.

This is really getting ridiculous. I did not say that China did it because they already knew about PRISM

What? Where did I ever state otherwise? (Hint: I didn’t). If you’re really that incapable of basic reading comprehension, that would explain a few things…

you created this in your own obtuse mind

Hey look, I have my own personal copycat – how adorable.

In your next reply, be sure to include something along the lines of “no, YOU have bad reading comprehension” (if you’re going to be lazy and witless, then you might as well be consistent about it).

You are the one arguing that China did it ONLY to prevent their citizens from getting information from abroad. A big and narrow-minded assumption if you ask me. So burden of proof applies very well to your case.

You really are fond of the “I know you are, but what am I” schtick, aren’t you? Hate to break it to you, but I never actually claimed that domestic censorship was the only reason for the GFC – just the primary reason. And 3 posts in, you STILL haven’t provided anything to back up your claims, other than vague supposition.

Also, burden of proof doesn’t work that way. You made the initial claim, you failed to substantiate it in any way, so the burden of proof was (and still IS) yours.

I guess you only studied history from USA books.

Too bad I’m not actually an American, genius. I was waiting for someone to make that lazy assumption – and you were the first one gullible enough to take the bait, congrats!

The rest of your arguments are all alike, just nonsense ramblings or full of assumptions about things not said.

Right, that must be why your counter-“arguments” have consisted of nothing more than dodging, backpedaling, and willful ignorance.

Buwahahahaha! Riiiiiiiiiiiight, the GFW is purely a defensive measure… I’m sure it has nothing to do with China being one of the most censorship-happy regimes in the industrialized world … but I never actually claimed that domestic censorship was the only reason for the GFC – just the primary reason.

Again, more of your assumptions, of which we cannot be sure. Perhaps you have some form of insider information. As I said, mine are suppositions about the behavior patterns of paranoid states.

Too bad I’m not actually an American, genius. I was waiting for someone to make that lazy assumption

You are again jumping to assumptions. I never said you had American citizenship, only that you were “following lessons” from “American books” for whatever reason. This is a big difference, but as I said, you like to put your thoughts in others’ minds.

Right, that must be why your counter-“arguments” have consisted of nothing more than dodging, backpedaling, and willful ignorance.

Not at all. You asked me to back my argument that the USA and China elites are alike in the way they treat their citizens; granted, the USA may not be as bad, but both are not examples of respect for privacy, liberty and human rights, as I have illustrated by historical facts in the USA’s case.

Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give government “an early start” on risk assessment and mitigation.

If “you” think this is some kind of conspiracy against the people, you’re a total moron.